rlogind(1M)




NAME

     in.rlogind, rlogind - remote login server


SYNOPSIS

     /usr/sbin/in.rlogind


DESCRIPTION

     in.rlogind is the server for  the  rlogin(1)  program.   The
     server  provides a remote login facility with authentication
     based on privileged port numbers.

     in.rlogind is invoked by inetd(1M) when a remote login  con-
     nection is established, and executes the following protocol:

        o  The server checks the client's  source  port.  If  the
           port  is  not in the range 512-1023, the server aborts
           the connection.

        o  The server checks the client's source address.  If  an
           entry  for  the  client  exists in both /etc/hosts and
           /etc/hosts.equiv, a user logging in from the client is
           not prompted for a password. If the address is associ-
           ated with a host  for  which  no  corresponding  entry
           exists in /etc/hosts, the user is prompted for a pass-
           word, regardless of  whether or not an entry  for  the
           client  is  present in  /etc/hosts.equiv. See hosts(4)
           and hosts.equiv(4).

     Once  the  source  port  and  address  have  been   checked,
     in.rlogind  allocates a pseudo-terminal and manipulates file
     descriptors so that the slave half  of  the  pseudo-terminal
     becomes  the  stdin, stdout, and stderr for a login process.
     The login process is an instance of  the  login(1)  program,
     invoked with the -r option.

     The login process then proceeds with the pam(3PAM) authenti-
     cation process. See  SECURITY below.  If automatic authenti-
     cation fails, it reprompts the user to login.

     The parent of the login process manipulates the master  side
     of the pseudo-terminal, operating as an intermediary between
     the login process and the client instance of the rlogin pro-
     gram.   In normal operation, a packet protocol is invoked to
     provide <Ctrl-S> and <Ctrl-Q> type facilities and  propagate
     interrupt signals to the remote programs.  The login process
     propagates the client  terminal's  baud  rate  and  terminal
     type,  as  found  in  the  environment  variable,  TERM; see
     environ(4).


USAGE

     rlogind and in.rlogind are IPv6-enabled. See ip6(7P).


SECURITY

     in.rlogind  uses  pam(3PAM)  for   authentication,   account
     management,  and  session  management. The PAM configuration
     policy, listed through /etc/pam.conf, specifies the  modules
     to  be  used for in.rlogind. Here is a partial pam.conf file
     with entries for the rlogin command using the  "rhosts"  and
     UNIX  authentication  modules, and the UNIX account, session
     management, and password management modules.

     rlogin    auth sufficient    pam_rhosts_auth.so.1
     rlogin    auth requisite     pam_authtok_get.so.1
     rlogin    auth required      pam_dhkeys.so.1
     rlogin    auth required      pam_unix_auth.so.1

     rlogin    account required   pam_unix_roles.so.1
     rlogin    account required   pam_unix_projects.so.1
     rlogin    account required   pam_unix_account.so.1

     rlogin    session required   pam_unix_session.so.1

     With this configuration,  the  server  checks  the  client's
     source  address.  If  an entry for the client exists in both
     /etc/hosts and /etc/hosts.equiv, a user logging in from  the
     client  is  not  prompted  for a password. If the address is
     associated with a host  for  which  no  corresponding  entry
     exists  in  /etc/hosts, the user is prompted for a password,
     regardless of whether or not an  entry  for  the  client  is
     present    in    /etc/hosts.equiv.    See    hosts(4)    and
     hosts.equiv(4).

     If there are no entries for the  rlogin  service,  then  the
     entries  for  the  "other" service will be used. If multiple
     authentication modules are listed,  then  the  user  may  be
     prompted    for    multiple    passwords.    Removing    the
     "pam_rhosts_auth.so.1"    entry     will     disable     the
     /etc/hosts.equiv  and  ~/.rhosts authentication protocol and
     the user would always be forced to type  the  password.  The
     sufficient  flag  indicates  that authentication through the
     pam_rhosts_auth.so.1 module is "sufficient" to  authenticate
     the  user.  Only  if  this  authentication fails is the next
     authentication module used.
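     The following is an added example, not part of this manual
     page or of Solaris: it parses a pam.conf and reports how the
     rules above resolve for in.rlogind (rlogin entries if present,
     else "other"; a "sufficient" pam_rhosts_auth.so.1 means trusted
     hosts skip the password). The sample configurations are
     constructed from the partial pam.conf above.

```python
# Added example (not from the man page or Solaris): audit how in.rlogind
# will authenticate given a pam.conf, following the SECURITY section.
# Sample configurations below are constructed.
from collections import defaultdict

RHOSTS_MODULE = "pam_rhosts_auth.so.1"

def parse_pam_conf(text):
    """Return {service: {module_type: [(control_flag, module_path), ...]}}.
    Lines are: service module_type control_flag module_path [options]."""
    stack = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        stack[service][mtype].append((flag.lower(), module))
    return stack

def audit_rlogin(text):
    """Summarise the auth stack in.rlogind ends up with for this pam.conf."""
    stack = parse_pam_conf(text)
    service = "rlogin" if "rlogin" in stack else "other"   # "other" fallback
    auth = stack[service].get("auth", [])
    rhosts_flags = [flag for flag, mod in auth if mod == RHOSTS_MODULE]
    return {
        "service_used": service,
        "auth_modules": [mod for _, mod in auth],
        # sufficient rhosts: hosts.equiv/.rhosts trusted hosts need no password
        "passwordless_trust": "sufficient" in rhosts_flags,
        # no rhosts module at all: every rlogin user is asked for a password
        "always_prompts_password": not rhosts_flags,
    }

# Constructed sample: the page's partial pam.conf, and the same file with
# the rhosts entry removed, which forces a password on every login.
TRUSTING_CONF = """\
rlogin    auth sufficient    pam_rhosts_auth.so.1
rlogin    auth requisite     pam_authtok_get.so.1
rlogin    auth required      pam_dhkeys.so.1
rlogin    auth required      pam_unix_auth.so.1
rlogin    session required   pam_unix_session.so.1
"""
HARDENED_CONF = "\n".join(
    l for l in TRUSTING_CONF.splitlines() if RHOSTS_MODULE not in l)
```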


ATTRIBUTES

     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWrcmds                   |
    |_____________________________|_____________________________|


SEE ALSO

     login(1),  rlogin(1),  in.rshd(1M),  inetd(1M),   pam(3PAM),
     environ(4),    hosts(4),    hosts.equiv(4),   inetd.conf(4),
     pam.conf(4),      attributes(5),       pam_authtok_check(5),
     pam_authtok_get(5),   pam_authtok_store(5),   pam_dhkeys(5),
     pam_passwd_auth(5),    pam_unix(5),     pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5)


DIAGNOSTICS

     All diagnostic messages are returned on the connection asso-
     ciated  with the stderr, after which any network connections
     are closed. An error is indicated by a leading byte  with  a
     value of 1.

     Hostname for your address unknown.
           No entry in the host name  database  existed  for  the
           client's machine.

     Try again.
           A fork by the server failed.

     /usr/bin/sh: ...
           The user's login shell could not be started.


NOTES

     The authentication procedure used here assumes the integrity
     of  each  client machine and the connecting medium.  This is
     insecure, but it is useful in an ``open'' environment.

     A facility to allow  all  data  exchanges  to  be  encrypted
     should be present.

     The pam_unix(5) module might not be supported  in  a  future
     release.    Similar    functionality    is    provided    by
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5),          pam_unix_auth(5),          and
     pam_unix_session(5).

